diff --git a/NEWS b/NEWS
index 2efc395b5..da771f115 100644
--- a/NEWS
+++ b/NEWS
@@ -38,6 +38,10 @@ Noteworthy changes in version 2.1.0-betaN (unreleased)
 * Only the major version number is by default included in the armored output.
+ * Do not create a trustdb file if --trust-model=always is used.
+
+ * Protect against rogue keyservers sending secret keys.
+
 Noteworthy changes in version 2.1.0beta3 (2011-12-20)
 -----------------------------------------------------
diff --git a/g10/gpg.c b/g10/gpg.c
index 15cbe4bcc..65a9cab99 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -3539,15 +3539,11 @@ main (int argc, char **argv)
 case aListTrustDB:
 rc = setup_trustdb (argc? 1:0, trustdb_name);
 break;
- case aEncr:
- case aEncrFiles:
+ default:
 /* If we are using TM_ALWAYS, we do not need to create the
 trustdb. */
 rc = setup_trustdb (opt.trust_model != TM_ALWAYS, trustdb_name);
 break;
- default:
- rc = setup_trustdb (1, trustdb_name );
- break;
 }
 if (rc)
 log_error (_("failed to initialize the TrustDB: %s\n"), g10_errstr(rc));
diff --git a/g10/tdbio.c b/g10/tdbio.c
index 0a659b141..db7a67c05 100644
--- a/g10/tdbio.c
+++ b/g10/tdbio.c
@@ -480,7 +480,7 @@ create_version_record (void)
 int
-tdbio_set_dbname( const char *new_dbname, int create )
+tdbio_set_dbname( const char *new_dbname, int create, int *r_nofile)
 {
 char *fname;
 static int initialized = 0;
@@ -490,6 +490,8 @@ tdbio_set_dbname( const char *new_dbname, int create )
 initialized = 1;
 }
+ *r_nofile = 0;
+
 if(new_dbname==NULL)
 fname=make_filename(opt.homedir,"trustdb" EXTSEP_S GPGEXT_GPG, NULL);
 else if (*new_dbname != DIRSEP_C )
@@ -515,7 +517,9 @@ tdbio_set_dbname( const char *new_dbname, int create )
 xfree(fname);
 return G10ERR_TRUSTDB;
 }
- if( create ) {
+ if (!create)
+ *r_nofile = 1;
+ else {
 FILE *fp;
 TRUSTREC rec;
 int rc;
diff --git a/g10/tdbio.h b/g10/tdbio.h
index 252a393b7..4f37de44e 100644
--- a/g10/tdbio.h
+++ b/g10/tdbio.h
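Review bot: The comment above the new `default:` arm still reads as if it covered only the former aEncr/aEncrFiles case, while the arm now decides trustdb creation for every command other than aListTrustDB; it should name what the skip relies on, e.g. `/* All other commands: create the trustdb unless the trust model is "always"; the trustdb.c entry points must then cope with a missing file.  */`. Note also that aListTrustDB keeps passing `argc? 1:0`, so create can be 0 there independent of the trust model; as far as the hunks show that leaves trustdb_args.no_trustdb set while the guards in trustdb.c that additionally require TM_ALWAYS stay inactive, which may be intended but deserves a word. main's switch continues outside the hunk.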
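Review bot: `*r_nofile = 0;` writes through the new out-parameter unconditionally, yet neither this definition nor the prototype in tdbio.h (@@ -93) says that the pointer is mandatory or what the value reports, and the `*r_nofile = 1` in the following hunk (@@ -515) sits in a branch whose condition starts outside the hunk. Either make the parameter optional with `if (r_nofile) *r_nofile = 0;` (and the same guard at the `= 1` site), or keep it required and document it on the prototype along the lines of `/* R_NOFILE must not be NULL; receives 1 when no trustdb file exists and CREATE is 0, else 0.  */`, confirming the wording against that enclosing condition. The new `if (!create) *r_nofile = 1; else {` also pairs a braceless arm with a braced one; bracing both arms is easier to extend safely. tdbio_set_dbname continues outside the hunk.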
@@ -93,7 +93,7 @@ typedef struct trust_record TRUSTREC;
 /*-- tdbio.c --*/
 int tdbio_update_version_record(void);
-int tdbio_set_dbname( const char *new_dbname, int create );
+int tdbio_set_dbname( const char *new_dbname, int create, int *r_nofile);
 const char *tdbio_get_dbname(void);
 void tdbio_dump_record( TRUSTREC *rec, FILE *fp );
 int tdbio_read_record( ulong recnum, TRUSTREC *rec, int expected );
diff --git a/g10/trustdb.c b/g10/trustdb.c
index 733fa79bb..ea0739986 100644
--- a/g10/trustdb.c
+++ b/g10/trustdb.c
@@ -49,19 +49,22 @@ typedef struct key_item **KeyHashTable; /* see new_key_hash_table() */
 * the item right after the last one has a keyblock set to NULL.
 * Maybe we can drop this thing and replace it by key_item */
-struct key_array {
+struct key_array
+{
 KBNODE keyblock;
 };
-/* control information for the trust DB */
-static struct {
- int init;
- int level;
- char *dbname;
+/* Control information for the trust DB. */
+static struct
+{
+ int init;
+ int level;
+ char *dbname;
+ int no_trustdb;
 } trustdb_args;
-/* some globals */
+/* Some globals. */
 static struct key_item *user_utk_list; /* temp. used to store --trusted-keys */
 static struct key_item *utk_list; /* all ultimately trusted keys */
@@ -417,7 +420,7 @@ how_to_fix_the_trustdb ()
 void
-init_trustdb()
+init_trustdb ()
 {
 int level = trustdb_args.level;
 const char* dbname = trustdb_args.dbname;
@@ -429,7 +432,7 @@ init_trustdb()
 if(level==0 || level==1)
 {
- int rc = tdbio_set_dbname( dbname, !!level );
+ int rc = tdbio_set_dbname( dbname, !!level, &trustdb_args.no_trustdb);
 if( rc )
 log_fatal("can't init trustdb: %s\n", g10_errstr(rc) );
 }
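Review bot: The new `int no_trustdb;` member is added to trustdb_args without a comment, although it is the flag every new early return in this file keys on, and its only writer visible in the diff is the `&trustdb_args.no_trustdb` argument passed from init_trustdb () (@@ -429). Add a one-line comment on the field, e.g. `int no_trustdb; /* Set by init_trustdb () via tdbio_set_dbname (): no trustdb file exists and none was created.  */`. Because the struct is static, the flag reads as 0 until init_trustdb () has actually run; that ordering belongs in the same comment, since some readers of the flag (e.g. tdb_get_ownertrust, @@ -619) do not call init_trustdb () first in the lines shown.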
@@ -525,10 +528,13 @@ void
 tdb_revalidation_mark (void)
 {
 init_trustdb();
- /* we simply set the time for the next check to 1 (far back in 1970)
- * so that a --update-trustdb will be scheduled */
+ if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
+ return;
+
+ /* We simply set the time for the next check to 1 (far back in 1970)
+ so that a --update-trustdb will be scheduled. */
 if (tdbio_write_nextcheck (1))
- do_sync ();
+ do_sync ();
 pending_check_trustdb = 1;
 }
@@ -560,8 +566,10 @@ read_trust_options(byte *trust_model,ulong *created,ulong *nextcheck,
 TRUSTREC opts;
 init_trustdb();
-
- read_record(0,&opts,RECTYPE_VER);
+ if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
+ memset (&opts, 0, sizeof opts);
+ else
+ read_record (0, &opts, RECTYPE_VER);
 if(trust_model)
 *trust_model=opts.r.ver.trust_model;
@@ -619,6 +627,9 @@ tdb_get_ownertrust ( PKT_public_key *pk)
 TRUSTREC rec;
 int rc;
+ if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
+ return TRUST_UNKNOWN;
+
 rc = read_trust_record (pk, &rec);
 if (rc == -1)
 return TRUST_UNKNOWN; /* no record yet */
@@ -638,6 +649,9 @@ tdb_get_min_ownertrust (PKT_public_key *pk)
 TRUSTREC rec;
 int rc;
+ if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
+ return TRUST_UNKNOWN;
+
 rc = read_trust_record (pk, &rec);
 if (rc == -1)
 return TRUST_UNKNOWN; /* no record yet */
@@ -661,6 +675,9 @@ tdb_update_ownertrust (PKT_public_key *pk, unsigned int new_trust )
 TRUSTREC rec;
 int rc;
+ if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
+ return;
+
 rc = read_trust_record (pk, &rec);
 if (!rc)
 {
@@ -705,6 +722,9 @@ update_min_ownertrust (u32 *kid, unsigned int new_trust )
 TRUSTREC rec;
 int rc;
+ if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
+ return;
+
 pk = xmalloc_clear (sizeof *pk);
 rc = get_pubkey (pk, kid);
 if (rc)
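Review bot: After `memset (&opts, 0, sizeof opts);` the function still hands back `opts.r.ver.trust_model` (and presumably `created` and `nextcheck`, whose assignments lie outside the hunk) from the zeroed record, so a caller learns trust model 0 and a creation time of 0 rather than anything that reflects the `TM_ALWAYS` the process is running with. If any caller compares the reported model against opt.trust_model, that comparison now fails spuriously whenever no trustdb exists; setting `opts.r.ver.trust_model = opt.trust_model;` right after the memset, or a comment stating that the out-values are placeholders in this case, would settle it. read_trust_options continues outside the hunk.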
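Review bot: The guard `if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)` in tdb_get_ownertrust is evaluated before anything in the function has called init_trustdb (), and from the hunks shown no_trustdb is only ever set inside init_trustdb () through tdbio_set_dbname; on the first trustdb access in a process the flag is therefore still 0, the guard is skipped and `read_trust_record (pk, &rec)` goes on to consult a trustdb that was deliberately never created — presumably the fatal open this change set out to avoid. The same ordering applies to tdb_get_min_ownertrust (@@ -638), tdb_update_ownertrust (@@ -661) and update_min_ownertrust (@@ -705), whereas tdb_clear_ownertrusts (@@ -761) receives an explicit `init_trustdb ();` ahead of its guard. Unless read_trust_record or every caller guarantees initialisation first, add `init_trustdb ();` before the guard in these four functions as well. tdb_get_ownertrust's body continues outside the hunk.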
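Review bot: The new early `return;` in tdb_update_ownertrust discards the caller's ownertrust assignment with neither a diagnostic nor a comment, and update_min_ownertrust (@@ -705) does the same. Under --trust-model=always a stored ownertrust would not affect validity, so silently skipping it may be deliberate, but a comment such as `/* No trustdb and the model ignores ownertrust: nothing to store.  */` (or a log_info on the interactive path) makes the intent visible to whoever reaches it from a key-editing command and wonders why nothing changed. The function's body continues outside the hunk.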
@@ -761,6 +781,11 @@ tdb_clear_ownertrusts (PKT_public_key *pk)
 TRUSTREC rec;
 int rc;
+ init_trustdb ();
+
+ if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
+ return 0;
+
 rc = read_trust_record (pk, &rec);
 if (!rc)
 {
@@ -865,6 +890,9 @@ tdb_cache_disabled_value (PKT_public_key *pk)
 init_trustdb();
+ if (trustdb_args.no_trustdb)
+ return 0; /* No trustdb => not disabled. */
+
 rc = read_trust_record (pk, &trec);
 if (rc && rc != -1)
 {
@@ -893,6 +921,10 @@ tdb_check_trustdb_stale (void)
 static int did_nextcheck=0;
 init_trustdb ();
+
+ if (trustdb_args.no_trustdb)
+ return; /* No trustdb => can't be stale. */
+
 if (!did_nextcheck && (opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC))
 {
@@ -931,6 +963,14 @@ tdb_get_validity_core (PKT_public_key *pk, PKT_user_id *uid,
 unsigned int validity;
 init_trustdb ();
+
+ /* If we have no trustdb (which also means it has not been created)
+ and the trust-model is always, we don't know the validity -
+ return immediately. If we won't do that the tdbio code would try
+ to open the trustdb and run into a fatal error. */
+ if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
+ return TRUST_UNKNOWN;
+
 check_trustdb_stale();
 if(opt.trust_model==TM_DIRECT)
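Review bot: The early return in tdb_cache_disabled_value keys on `trustdb_args.no_trustdb` alone, while every other guard added in this file also requires `opt.trust_model == TM_ALWAYS`; tdb_check_trustdb_stale (@@ -893) follows this hunk's shorter form. The two forms are not equivalent: per the gpg.c hunk, aListTrustDB passes `argc? 1:0` as the create flag regardless of the trust model, so as far as the hunks show no_trustdb can be set under other models and only these two functions would then bail out. If the difference is intended, a one-line comment saying why the disabled/stale checks ignore the model would spare the next reader the question; otherwise collapse the nine copies of the predicate into one `static int` helper and use it everywhere, which also keeps the condition from drifting again.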